Introduction
Cars can do almost anything these days. You can cool off while playing music on Bluetooth. You can chat with the console to ask for directions. They know when you’re straying over the yellow lines, and some cars can even predict and then stop a collision!
With all that automation and advanced technology, it shouldn’t surprise you at this point that cybercriminals are finding ways to exploit and hack into your smart cars. They can remotely unlock your doors or track your GPS location, if they know how to do it.
Now, experts have identified a flaw in the API security that’s used in cars from 16 major manufacturers.
The Vulnerability, Exposed
First, what is an API?
It stands for Application Programming Interface, and it basically lets pieces of software communicate securely with each other. Your phone does this, which is how it gives you information like the time; your phone knows because a time sync broadcast connects it to an atomic clock. (The time sync broadcast is the API in this scenario.)
API exploits take advantage of API vulnerabilities, which are basically weak spots in the armor. They can be manipulated and exposed so that the cybercriminal can steal data or affect internal processes.
In this case, the hacker could start fiddling with the features on your smart car. They can flash your headlights, run your windshield wipers and turn on your radio. The more wired in your ride is, the more options a cybercriminal has to have their fun.
Mercedes, BMW, Ferrari, Jaguar, Porsche, Toyota, Land Rover, and Rolls-Royce were among the car brands at risk. Altogether, millions of vehicles could be affected by these vulnerabilities.
Potential Threats at Hand
At least 20 API flaws were found in these vehicles. If they were exploited, hackers might be able to…
- take over accounts as either an employee or customer via remote code execution (RCE).
- sneak into your single sign-on accounts and use internal applications.
- find your sales documents, including your name, address and phone number.
- find the car’s unique VIN.
- get your location.
- affect firmware.
- take over everything from golf carts to ambulances.
They could do anything from something as physically dangerous as stopping the engine on your car to something as distressing as identity theft. Even cars aren’t safe from the Dark Web!
Conclusion
Owners of these vehicles can sleep better knowing that the manufacturers have released patches for these vulnerabilities. The mere existence of these security flaws, however, demonstrates how wide a reach the Internet has over our daily lives and how threat actors will look for a way to exploit every inch of it.
This also shows why we need to install software updates automatically or as soon as possible, to patch dangerous vulnerabilities before they’re exploited. Make sure you’re keeping an eye on your manufacturers’ announcements about potential threats to your internet-connected devices, and on new updates as they come out, to keep you safer.